SENSITIVE BUT UNCLASSIFIED

UNITED STATES DEPARTMENT OF STATE
AND THE BROADCASTING BOARD OF GOVERNORS
OFFICE OF INSPECTOR GENERAL

AUD-IT-14-33    Office of Audits    September 2014

Audit of International Boundary and Water Commission, United States and Mexico, U.S. Section, Information Security Program

IMPORTANT NOTICE: This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

(U) PREFACE

(U) This report was prepared by the Office of Inspector General (OIG) pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one of a series of audit, inspection, investigative, and special reports prepared by OIG periodically as part of its responsibility to promote effective management, accountability, and positive change in the Department of State and the Broadcasting Board of Governors.

(U) This report is the result of an assessment of the strengths and weaknesses of the office, post, or function under review. It is based on interviews with employees and officials of relevant agencies and institutions, direct observation, and a review of applicable documents.

(U) The recommendations therein have been developed on the basis of the best knowledge available to OIG and, as appropriate, have been discussed in draft with those responsible for implementation. It is my hope that these recommendations will result in more effective, efficient, and/or economical operations.

(U) I express my appreciation to all of those who contributed to the preparation of this report.

(U) Norman P. Brown
(U) Assistant Inspector General for Audits

(U) Acronyms

(U) FISMA    Federal Information Security Management Act
(U) GSS      General Support System
(U) IBWC     International Boundary and Water Commission
(U) NIST     National Institute of Standards and Technology
(U) OIG      Office of Inspector General
(U) SBIWTP   South Bay International Wastewater Treatment Plant
(U) SCADA    Supervisory Control and Data Acquisition
(U) SP       Special Publication

(U) Table of Contents

(U) Executive Summary
(U) Background
(U) Objective
(U) Audit Results
    (U) Finding A. [Redacted] (b) (5)
    (U) Finding B. [Redacted] (b) (5)
    (U) Finding C. [Redacted] (b) (5)
    (U) Finding D. [Redacted] (b) (5) Remains Vulnerable to Outsider Attacks and Insider Threats
    (U) Finding E. IBWC Made Notable Improvements With its Information Security Program
(U) List of Recommendations
(U) Appendices
    (U) A. Scope and Methodology
    (U) B. Office of Inspector General FY 2013 Federal Information Security Management Act Report Statuses of Recommendations
    (U) C. IBWC Management Responses
(U) Major Contributors to This Report

(U) Executive Summary

(U) In accordance with the Federal Information Security Management Act of 2002 [1] (FISMA), the Department of State (Department), Office of Inspector General (OIG), conducted an audit of the U.S. Section, International Boundary and Water Commission (IBWC), information security program and practices.
The purpose of the audit was to determine compliance with Federal laws, regulations, and standards established by FISMA, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). In addition, OIG reviewed IBWC’s corrective actions to address weaknesses identified in OIG’s FY 2013 report. [2] OIG closed 22 of 27 recommendations in the FY 2013 report. The status of each recommendation from OIG’s FY 2013 report is presented in Appendix B.

(U) During FY 2014, OIG conducted field work at IBWC’s U.S. Section headquarters in El Paso, TX; South Bay International Wastewater Treatment Plant (SBIWTP) and field office in San Diego, CA; Nogales International Wastewater Treatment Plant in Nogales, AZ; Amistad Dam and field office in Del Rio, TX; and the General Support System (GSS) continuity of operations site in Las Cruces, NM.

(SBU) Overall, OIG found that IBWC had implemented an information security program. The Information Management Division, led by its Information System Security Manager, with guidance from IBWC’s Chief Administrative Officer and support from the Commissioner, made significant progress on previously identified weaknesses.
For example, IBWC established a Continuous Security Monitoring program for its GSS, developed authorization packets for its GSS and Supervisory Control and Data Acquisition (SCADA) systems, [3] cleared multiple personnel requiring enhanced background investigations, developed contingency documentation, and implemented a multifactor authentication solution for logical access.

(SBU) Notwithstanding the progress made by IBWC, OIG identified the following control weaknesses related to four security control areas:

• (SBU) [Redacted] (b) (5). (Finding A)
• (SBU) IBWC’s [Redacted] (b) (5) policy. In addition, [Redacted] (b) (5) [Redacted] (b) (5). (Finding B)
• (SBU) IBWC had not [Redacted] (b) (5). (Finding C)
• (SBU) IBWC’s [Redacted] (b) (5). In addition, IBWC included contractor-owned inventory in the Integrated Logistics Management System. (Finding D)

(SBU) OIG made six recommendations to IBWC intended to improve its information security program and practices. In July 2014, OIG provided a draft of this report to IBWC. In its July 29, 2014, response (Appendix C) to the draft report, IBWC concurred with all six recommendations. Based on the comments received, OIG considers all six recommendations resolved, pending further action. IBWC’s management responses to the recommendations and OIG’s analysis to the responses are presented after each recommendation.

[1] (U) E-Government Act of 2002, Pub. L. No. 107-347, tit. III, 116 Stat. 2946 (2002).
[2] (U) Audit of International Boundary and Water Commission, United States and Mexico, U.S. Section, Information Security Program (AUD/IT-13-39, September 2013).
[3] (U) A SCADA system performs centralized monitoring and control for field sites over long-distance communications networks, including monitoring alarms and processing status data.

(U) Background

(U) IBWC is a binational commission, established to apply boundary and water treaties and agreements between the United States and Mexico. IBWC consists of a U.S. Section and a Mexican Section. The organization of IBWC’s U.S. Section is shown in Figure 1. Each Section is administered independently of the other, and is headed by an Engineer Commissioner, who is appointed by his respective President. The U.S. Section receives foreign policy guidance from the U.S. Department of State, while the Mexican Section is administratively linked to the Secretariat of Foreign Relations of Mexico. The joint mission of the U.S. Section and the Mexican Section is as follows:

• (U) Distribute the waters of the boundary-rivers between the two countries.
• (U) Operate international flood control along the boundary-rivers.
• (U) Operate the international reservoirs for conservation and regulation of Rio Grande waters for the two countries.
• (U) Improve the quality of water of international rivers.
• (U) Resolve border sanitation issues.
• (U) Develop hydroelectric power.
• (U) Establish the boundary in the area bordering the Rio Grande.
• (U) Demarcate the land boundary.

(U) Figure 1. U.S. Section of IBWC Organizational Chart

[Organizational chart not reproduced in this text version. Units legible in the extracted chart: Foreign Affairs; Public Affairs; Legal Affairs; Human Capital; Washington DC Liaison; Engineering Department; Administration Department; Environmental Management Division; Engineering Services Division; Master Planning Division; Construction Office; Boundary and Realty Office; Budget Division; Finance & Accounting Division; Acquisition Division; Information Management Division; Records Management Office; Asset Management Office.]

Notes:
• The Office of the Commissioner includes the Equal Employment Opportunity and Internal Audit Programs.
• The Special Operations Division manages the security, and the Safety and Health Programs.
• The American Dam/Carlos Marin Field Office is located in El Paso, TX.
• The Environmental Management Division manages the Texas Clean Rivers and GIS Programs.
• The Master Planning Division manages the Strategic Planning and Capital Planning Programs.

(U) Source: This chart is an excerpt from the IBWC FY 2011-2016 Strategic Plan.

(U) The U.S. Section owns the contractor-operated SBIWTP, which is responsible for meeting the Clean Water Act requirements mandated by the State of California. The SBIWTP discharges the clean water into the Pacific Ocean. The U.S. Section also maintains and operates the Nogales International Wastewater Treatment Plant in accordance with the Clean Water Act discharge standards mandated by Arizona. Each wastewater treatment plant has a SCADA system. Based on information received from remote stations, automated or operator-driven supervisory commands are controlled by remote station control devices, which are often referred to as field devices.
Field devices control local operations such as opening and closing valves and breakers, collecting data from sensor systems, and monitoring the local environment for alarm conditions.

(U) FISMA was enacted into law as Title III, Public Law Number 107-347, on December 17, 2002. Key requirements of FISMA are as follows:

• (U) The establishment of an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
• (U) An annual independent evaluation of the agency’s information security programs and practices.
• (U) An assessment of compliance with FISMA requirements.

(U) FISMA assigns specific responsibilities to NIST, OMB, and the Department of Homeland Security and other Federal agencies for the purpose of strengthening information system security throughout the Federal Government. In particular, FISMA requires the head of each agency to implement policies and procedures to cost effectively reduce information technology security risks to an acceptable level. To ensure the adequacy and effectiveness of information system controls, FISMA requires agency program officials, chief information officers, chief information security officers, senior agency officials for privacy, and inspectors general to conduct annual reviews of the agency’s information security program and report the results to the Department of Homeland Security.

(U) The U.S. Section is developing and implementing information technology policies and procedures to meet requirements mandated by FISMA, OMB, and NIST for its information systems.
The Section has also entered into agreements with third parties to help meet FISMA compliance.

(U) Objective

(U) The objective of the audit was to assess the effectiveness of IBWC’s information security program in FY 2014. Specifically, OIG assessed risk management, configuration management, incident response and reporting, security training, plan of action and milestones, remote access management, identity and access management, continuous monitoring, contingency planning, oversight of contractor systems, security capital planning, access controls, personnel security, and physical and environmental protection.

(U) Audit Results

(U) Finding A. [Redacted] (b) (5)

(SBU) For FY 2014, IBWC executed a contract with Aitheras, who subcontracted TruShield to perform [Redacted] (b) (5) of its GSS. TruShield provided IBWC with weekly status updates and monthly vulnerability scans. However, IBWC had not [Redacted] (b) (5) [Redacted] (b) (5)

(SBU) [Redacted] (b) (5) [Redacted] (b) (5) Although IBWC was aware of the NIST requirement for its SCADA systems, [Redacted] (b) (5) Therefore, IBWC contracted Veolia to ensure the SCADA systems were FISMA compliant; however, Veolia did not perform the contractual work, which included [Redacted] (b) (5).
Because Veolia had not performed the required work, IBWC utilized TruShield to develop [Redacted] (b) (5) The SCADA [Redacted] (b) (5) is currently in draft.

(SBU) Without an [Redacted] (b) (5) there is an increased risk that the [Redacted] (b) (5) leading to potential damage or disruption to IBWC’s SCADA systems. In addition, environmental hazards could occur resulting in fines and lawsuits for IBWC. [5]

[4] (U) NIST SP 800-53, rev. 3, “Recommended Security Controls for Federal Information Systems and Organizations,” CA-7 [Redacted] (b) (5) Aug. 2009 (last updated May 2010).
[5] (U) Lauren Steussy and Paul Krueger, “Sewage Flowed into Local Waters without Notice: Report,” NBC 7 San Diego, April 12, 2012, <http://www.nbcsandiego.com/news/local/Sewage-Spilled-in-Local-Waters-without-Notice-147198795.html>, accessed on June 17, 2014.

(SBU) Recommendation 1. OIG recommends that the International Boundary and Water Commission (IBWC) [Redacted] (b) (5), as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management Response: IBWC concurred with the recommendation, stating that it would obtain an [Redacted] (b) (5)

(U) OIG Reply: OIG considers the recommendation resolved.
This recommendation can be closed when OIG reviews and accepts the [Redacted] (b) (5) for each SCADA system.

(U) Finding B. [Redacted] (b) (5)

(SBU) In FY 2014, IBWC established a testing process for changes to its GSS. However, IBWC determined that its [Redacted] (b) (5) because of the high availability and sensitivity requirements necessary for the system. Therefore, IBWC executed a contract [7] to develop an [Redacted] (b) (5) However, at the time of OIG’s site visit in March 2014, IBWC had not [Redacted] (b) (5)

(SBU) [Redacted] (b) (5). NIST SP 800-53, Revision 3, states that the organization [Redacted] (b) (5) [Redacted] (b) (5)” IBWC’s [Redacted] (b) (5) because of the Information Management Division’s [Redacted] (b) (5). Without a [Redacted] (b) (5) unapproved and untested changes to the SCADA systems could occur that would compromise the confidentiality, integrity, and availability of the systems.

(SBU) In addition, OIG found that IBWC’s [Redacted] (b) (5) NIST SP 800-82 [9] states that the [Redacted] (b) (5) Because [Redacted] (b) (5) since our last reporting. Without an [Redacted] (b) (5), IBWC’s SCADA systems are more susceptible to security weaknesses and denial of service.

[6] (U) IBWC’s IT System C&A Inventory Guide, Appendix A, states, “A loss of availability of information could result in severe or catastrophic adverse effect which may cause a severe degradation in or loss of mission capability.”
[7] (U) Aitheras with subcontractor TruShield.
[8] (U) NIST SP 800-53, rev. 3, [Redacted] (b) (5)
[9] (U) NIST SP 800-82, “Guide to Industrial Control Systems (ICS) Security,” June 2011.

(SBU) Recommendation 2. OIG recommends that the International Boundary and Water Commission [Redacted] (b) (5) that includes [Redacted] (b) (5), as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management Response: IBWC concurred with the recommendation, stating that it had completed a risk assessment for both SCADA systems, leading to an [Redacted] (b) (5) expected to be completed in FY 2014. IBWC further stated that the [Redacted] (b) (5) would be implemented in 2015.

(U) OIG Reply: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts the [Redacted] (b) (5)

(SBU) Recommendation 3. OIG recommends that the International Boundary and Water Commission [Redacted] (b) (5) as required by National Institute of Standards and Technology Special Publication 800-82.

(SBU) Management Response: IBWC concurred with the recommendation, stating that it had completed a risk assessment for both SCADA systems and that the [Redacted] (b) (5) IBWC further stated that the [Redacted] (b) (5) the end of 2014 and that the [Redacted] (b) (5) will be awarded by the end of FY 2014 and will be implemented in FY 2015.

(U) OIG Reply: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews the [Redacted] (b) (5)

(U) Finding C. [Redacted] (b) (5) Had Not Been Performed

(SBU) In FY 2014, IBWC completed a Business Impact Assessment, an Information System Contingency Plan, and acquired hardware to assist in contingency planning of its GSS. Further, IBWC had established a manual contingency planning process for its SCADA systems. However, IBWC did not [Redacted] (b) (5)

(SBU) IBWC had not [Redacted] (b) (5). NIST SP 800-34, Revision 1, [10] states that an organization [Redacted] (b) (5)” IBWC had not performed [Redacted] (b) (5) due to insufficient time between the completion of its [Redacted] (b) (5) and OIG’s site visit. However, by not [Redacted] (b) (5)

[10] (U) NIST SP 800-34, rev. 1, “Contingency Planning Guide for Federal Information Systems,” Executive Summary, May 2010.

(SBU) Recommendation 4. OIG recommends that the International Boundary and Water Commission [Redacted] (b) (5), as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1.

(SBU) Management Response: IBWC concurred with the recommendation, stating that it is on target to [Redacted] (b) (5) in FY 2014.

(U) OIG Reply: OIG considers the recommendation resolved. This recommendation can be closed when OIG receives documentation from the [Redacted] (b) (5).

(U) Finding D. [Redacted] (b) (5) to Outsider Attacks and Insider Threats

(SBU) Although IBWC owns the SBIWTP, the facility is operated by the contractor Veolia. [11] Veolia utilizes a SCADA system to monitor the wastewater treatment process that flows from Tijuana, Mexico. As previously noted, it is the responsibility of IBWC to ensure that the SCADA system used at the [Redacted] (b) (5).

(SBU) In April 2012, IBWC executed a contract amendment with Veolia that included an additional $100,000 so that Veolia could [Redacted] (b) (5) According to IBWC officials, the $100,000 obligated in FY 2012 remains available until the task is completed.
Because Veolia had not performed the required work, IBWC utilized subcontractor TruShield to develop a [Redacted] (b) (5) Section 3544(a)(1)(A) of FISMA states:

    The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

(SBU) At the time of our fieldwork at SBIWTP in April 2014, no work had been performed by Veolia or TruShield to make the [Redacted] (b) (5). Without IBWC ensuring that the SCADA system at the [Redacted] (b) (5), there is greater risk for outside attacks and insider threats.

[11] (U) Veolia has been under contract with IBWC since October 1, 2010.
[12] (U) E-Government Act of 2002, Pub. L. No. 107-347, tit. III, 116 Stat. 2946 (2002).

(SBU) In addition, IBWC included Veolia-owned information technology inventory in the Integrated Logistics Management System, which is strictly for Government-owned assets. According to NIST SP 800-53, Revision 3, [13] the organization “develops, documents, and maintains an inventory of information system components that accurately reflects the current information system.” This occurred because IBWC tagged all inventory at its facility without first determining ownership.
Without determining ownership of the inventory, IBWC is
comingling assets that do not belong to the Government, resulting in an inaccurate inventory,
which could affect financial reporting.

    (SBU) Recommendation 5. OIG recommends that the International Boundary and Water
    Commission ensure its [Redacted] (b) (5)

    (SBU) Management Response: IBWC concurred with the recommendation, stating that
    it had excluded the Admin Network from IBWC inventory. In addition, IBWC’s
    Information System Security Manager will review and approve all equipment that
    supports the SCADA systems [Redacted] (b) (5).

    (U) OIG Reply: OIG considers the recommendation resolved. This recommendation
    can be closed when OIG reviews the contractor-operated system [Redacted] (b) (5)

    (SBU) Recommendation 6. OIG recommends that the International Boundary and
    Water Commission (IBWC) determine ownership of information technology inventory
    and update the Integrated Logistics Management System to accurately reflect IBWC’s
    current information system components, as required by National Institute of Standards
    and Technology Special Publication 800-53, Revision 3.

    (SBU) Management Response: IBWC concurred with the recommendation, stating that
    it had completed a comprehensive inventory validation in FY 2014. IBWC is
    updating ILMS to ensure that only IBWC inventory is included. IBWC plans on
    completing this in FY 2014.

    (U) OIG Reply: OIG considers the recommendation resolved. This recommendation can
    be closed when OIG reviews ILMS to determine that only IBWC inventory has been
    included.

(U) Finding E.
IBWC Made Notable Improvements With its Information
Security Program

(U) In FY 2014, OIG found that IBWC was in compliance with the FISMA requirements
related to risk management, incident response and reporting, security training, plan of action and
milestones, remote access management, identity and access management, and security capital
planning. In addition, OIG found that IBWC had improved its compliance with FISMA
requirements related to contractor oversight and contingency planning. As a result, OIG closed
three prior year recommendations related to contractor oversight and one prior year
recommendation related to contingency planning. Further, OIG reviewed access controls,
personnel security, and physical and environmental protection and found IBWC had
implemented sufficient security controls.

13 (U) NIST SP 800-53, rev. 3, “CM-8 Information System Component Inventory.”

(U) OIG would like to call attention to the work and dedication of IBWC officials during
the past 6 months to improve IBWC’s security program. With top-down leadership support,
IBWC was able to close 22 of 27 OIG recommendations, and IBWC continues to make progress
in securing its information systems.

(U) List of Recommendations

(SBU) Recommendation 1. OIG recommends that the International Boundary and Water
Commission (IBWC) [Redacted] (b) (5), as required by National Institute of Standards
and Technology Special Publication 800-53, Revision 3.

(SBU) Recommendation 2.
OIG recommends that the International Boundary and Water
Commission [Redacted] (b) (5)
that includes [Redacted] (b) (5), as required by National
Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Recommendation 3. OIG recommends that the International Boundary and Water
Commission [Redacted] (b) (5)
as required by National Institute of Standards and Technology Special
Publication 800-82.

(SBU) Recommendation 4. OIG recommends that the International Boundary and Water
Commission [Redacted] (b) (5), as required by
National Institute of Standards and Technology Special Publication 800-34, Revision 1.

(SBU) Recommendation 5. OIG recommends that the International Boundary and Water
Commission ensure its [Redacted] (b) (5)

(SBU) Recommendation 6. OIG recommends that the International Boundary and Water
Commission (IBWC) determine ownership of information technology inventory and update the
Integrated Logistics Management System to accurately reflect IBWC’s current information
system components, as required by National Institute of Standards and Technology Special
Publication 800-53, Revision 3.

(U) Appendix A
(U) Scope and Methodology

(U) The Federal Information Security Management Act of 2002 (FISMA) requires each
Federal agency to develop, document, and implement an agency-wide program to provide
information security for the information systems that support the operations and assets of the
agency, including those provided or managed by another agency, contractor, or another source.
To ensure the
adequacy and effectiveness of these controls, FISMA requires the agency’s
inspector general or an independent external auditor to perform annual reviews of the information
security program and to report those results to the Office of Management and Budget and the
Department of Homeland Security. The Department of Homeland Security uses this data to assist
in oversight responsibilities and to prepare its annual report to Congress regarding agency
compliance with FISMA. This audit was performed to comply with this requirement.

(U) The Office of Inspector General (OIG), Office of Audits, performed this audit from
February 2014 through May 2014. OIG performed site visits to the International Boundary and
Water Commission (IBWC) headquarters in El Paso, TX; the South Bay International
Wastewater Treatment Plant and field office in San Diego, CA; Nogales International
Wastewater Treatment Plant in Nogales, AZ; Amistad Dam and field office in Del Rio, TX; and
the General Support System continuity of operations site in Las Cruces, NM.

(U) OIG conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that OIG plan and perform the audit to
obtain sufficient, appropriate evidence to provide a reasonable basis for its findings and
conclusions based on its audit objective. OIG believes that the evidence obtained provides a
reasonable basis for its findings and conclusions based on the audit objective.

(U) To perform this audit, OIG interviewed IBWC senior management, employees, and
contractors to evaluate managerial effectiveness and operational controls in accordance with
National Institute of Standards and Technology, IBWC, and Office of Management and Budget
guidance.
OIG observed daily operations, obtained evidence to support OIG conclusions and
recommendations, and collected written documents to supplement observations and interviews.

(U) OIG discussed its preliminary findings with IBWC officials on March 27, 2014. OIG
provided IBWC with Notice of Findings and Recommendations on May 29, 2014. OIG held an
exit conference with IBWC on June 26, 2014.

(U) Work Related to Internal Controls

(U) OIG assessed the adequacy of internal controls by gaining an understanding of the
effectiveness of IBWC’s information security program as required by FISMA. OIG identified
and discussed exceptions with IBWC officials to understand the reasons behind internal control
challenges. Through conversations with IBWC officials, OIG gained an understanding of the
policies and procedures related to IBWC’s information security program. OIG learned how
IBWC oversees the development of an information security program to protect information and
information systems, to report timely results regarding the security posture of information and
information systems, and to implement corrective measures to address previously identified
FISMA findings and recommendations. OIG’s conclusions on the internal control deficiencies
identified during this audit are detailed in the “Audit Results” section of this report.

(U) Use of Computer-Processed Data

(U) The audit team used computer-processed employee background screening data during
the audit. To assess the reliability of the data, OIG reviewed documentation related to the
background screening.
Specifically, OIG traced the background screening documentation to
position descriptions to determine which individuals required additional background screening to
perform their daily duties. OIG determined that the data were sufficiently reliable to support the
conclusions and recommendations presented in this report.

(U) Appendix B

(U) Office of Inspector General FY 2013 Federal Information Security
Management Act Report Statuses of Recommendations

(SBU) Recommendation 1. OIG recommends that the International Boundary and Water
Commission update and finalize its risk management framework to include all three tiers of
managing risk, as required by National Institute of Standards and Technology (NIST) Special
Publications (SP) 800-37, Revision 1, and the four risk management steps, as required by NIST
SP 800-39.

(U) Status: Closed March 2014. The International Boundary and Water Commission (IBWC)
provided the Office of Inspector General (OIG) with its risk management framework.

(SBU) Recommendation 2. OIG recommends that the International Boundary and Water
Commission (IBWC) determine the ownership and classification of the South Bay International
Wastewater Treatment Plant Admin Network and the Geographic Information System in
accordance with Federal Information Processing Standards 199 and update the IBWC Inventory
Guide.

(U) Status: Closed March 2014. IBWC updated its inventory guide to relinquish the ownership
of South Bay International Wastewater Treatment Plant (SBIWTP) Admin Network to a third
party and changed the classification of its Geographic Information System, a major application,
to be classified as moderate.

(SBU) Recommendation 3.
OIG recommends that the International Boundary and Water
Commission (IBWC) develop security authorization packages for all IBWC information systems
based on the determination of ownership and classification, as required by National Institute of
Standards and Technology Special Publication 800-53, Revision 3.

(U) Status: Closed March 2014. IBWC developed security authorization packages for its General
Support System and its two Supervisory Control and Data Acquisition systems.

(SBU) Recommendation 4. OIG recommends that the Information Management Division
establish a [Redacted] (b) (5) for
all International Boundary and Water Commission information systems, as required by National
Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and
as outlined in NIST SP 800-137.

(U) Status: This recommendation has been reissued as Recommendation 1 (Finding A) of the FY
2014 report and closed in the FY 2013 FISMA report.

(SBU) Recommendation 5. OIG recommends that the International Boundary and Water
Commission (IBWC) develop and implement policies and procedures for physical and
environmental protection controls for IBWC assets to include information systems at
headquarters and at each field office, in accordance with National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-53, Revision 3, and NIST SP 800-82.

(U) Status: Closed March 2014. IBWC provided OIG with its physical and environmental
protection policies and procedures.

(SBU) Recommendation 6.
OIG recommends that the International Boundary and Water
Commission develop and implement [Redacted] (b) (5), as required by National Institute of Standards
and Technology Special Publication 800-53, Revision 3.

(U) Status: Closed March 2014. IBWC provided OIG with documentation to support that chain
of custody procedures are in place for the access cards and remote gate devices.

(SBU) Recommendation 7. OIG recommends that the Information Management Division
update and implement its Plan of Action and Milestone Directive to include all information
systems, as required by National Institute of Standards and Technology Special Publication
800-53, Revision 3.

(U) Status: Closed March 2014. IBWC provided its Plan of Action and Milestones for its
General Support System and two Supervisory Control and Data Acquisition systems.

(SBU) Recommendation 8. OIG recommends that the Information Management Division
update the Plan of Action and Milestone database [Redacted] (b) (5)
as stated in the International Boundary and Water Commission Plan of Action and
Milestone Directive for all information systems.

(U) Status: Closed March 2014. IBWC provided Plan of Action and Milestones which included
all elements.

(SBU) Recommendation 9. OIG recommends that the International Boundary and Water
Commission complete a business case/Exhibit 300/Exhibit 53 to obtain the resources required to
protect its information systems, as required by National Institute of Standards and Technology
Special Publication 800-65.

(U) Status: Closed March 2014. IBWC provided documentation showing that the Office of
Management and Budget had confirmed that the requirement to complete a business case was not
applicable to smaller agencies.

(SBU) Recommendation 10.
OIG recommends that the International Boundary and Water
Commission prioritize resources to complete contingency planning documents for all
information systems, as required by National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-53, Revision 3, and NIST SP 800-34, Revision 1.

(U) Status: Closed March 2014. IBWC provided OIG with a Business Impact Analysis and an
Information System Contingency Plan for its General Support System. IBWC’s contingency
planning for its Supervisory Control and Data Acquisition systems consists of manual controls.

(SBU) Recommendation 11. OIG recommends that the International Boundary and Water
Commission update, approve, and implement an incident response and reporting policy, to
include the correlation of incidents for all information systems, as required by National Institute
of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and NIST SP
800-61, Revision 2.

(U) Status: Closed May 2014. IBWC provided its incident response and reporting policies for its
General Support System and Supervisory Control and Data Acquisition systems.

(SBU) Recommendation 12. OIG recommends that the International Boundary and Water
Commission (IBWC) implement [Redacted] (b) (5), as required by
the IBWC Configuration Management Directive and National Institute of Standards and
Technology Special Publication 800-53, Revision 3.

(U) Status: This recommendation has been reissued as Recommendation 2 (Finding B) of the FY
2014 report and closed in the FY 2013 FISMA report.

(SBU) Recommendation 13.
OIG recommends that the International Boundary and Water
Commission [Redacted] (b) (5)
as required by National
Institute of Standards and Technology Special Publication 800-82.

(U) Status: This recommendation has been reissued as Recommendation 3 (Finding B) of the FY
2014 report and closed in the FY 2013 FISMA report.

(SBU) Recommendation 14. OIG recommends that the Information Management Division
ensure all new employees receive security awareness training before authorizing access to the
network, as required by National Institute of Standards and Technology Special Publication
800-53, Revision 3.

(U) Status: Closed March 2014. IBWC provided new employee security awareness training
completion records.

(SBU) Recommendation 15. OIG recommends that the Information Management Division
finalize and implement its access control policy, which includes remote access, as required by
National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Status: Closed March 2014. IBWC provided its finalized access control policy which
included remote access.

[Redacted] (b) (5)

(U) Status: Closed March 2014. IBWC implemented remote access controls to include
multifactor authentication, laptop encryption and unique identification of users.

(SBU) Recommendation 17. OIG recommends that the International Boundary and Water
Commission (IBWC) ensure all employees that require remote access capabilities for telework
complete telework agreements and obtain appropriate approval, as required by IBWC’s
Telework Directive.

(U) Status: Closed March 2014. IBWC provided telework agreements for all telework eligible
employees.

(SBU) Recommendation 18.
OIG recommends that the International Boundary and Water
Commission identify and implement a multifactor authentication solution, to include a process
for resetting employee Personal Identification Numbers, for logical access to information
systems, as required by National Institute of Standards and Technology Special Publication
800-53, Revision 3.

(U) Status: Closed March 2014. IBWC implemented a multifactor solution, to include a process
for resetting employee Personal Identification Numbers, for logical access.

(SBU) Recommendation 19. OIG recommends that the International Boundary and Water
Commission [Redacted] (b) (5), as required by the Federal Information Security Management Act Title
III, Section 3544.

(U) Status: This recommendation has been reissued as Recommendation 5 (Finding D) of the FY
2014 report and closed in the FY 2013 FISMA report.

(SBU) Recommendation 20. OIG recommends that the International Boundary and Water
Commission ensure that its Information Management Division is responsible for the oversight of
information technology assets purchased and maintained by the contractor in support of
operations at the South Bay International Wastewater Treatment Plant, as required by the
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53,
Revision 3 and NIST SP 800-82.

(U) Status: Closed March 2014. IBWC ensured that its Information Management Division was
responsible for oversight of information assets purchased and maintained by the contractor.

(SBU) Recommendation 21.
OIG recommends that the International Boundary and Water
Commission review and update the appointment letter of the existing contracting officer’s
representative at South Bay International Wastewater Treatment Plant to include responsibilities
for implementing Federal Information Security Management Act (FISMA) compliance for
information system assets or appoint another individual the duties for overseeing the FISMA
compliance for information system assets.

(U) Status: Closed March 2014. IBWC established an additional contracting officer’s
representative with the responsibility for implementing FISMA.

(SBU) Recommendation 22. OIG recommends that the International Boundary and Water
Commission (IBWC) ensure its Information Management Division reviews and approves
software prior to installation on IBWC assets, as required by The Amendment of
Solicitation/Modification of Contract M027.

(U) Status: Closed March 2014. IBWC relinquished the SBIWTP Admin Network, so
this recommendation is no longer applicable.

(SBU) Recommendation 23. OIG recommends that the International Boundary and Water
Commission update position descriptions that require background screenings, incorporate
appropriate risk designations with the position, and specify the requirement to obtain and
maintain the appropriate security clearance.

(U) Status: Closed March 2014. IBWC updated position descriptions that required background
screenings.

(SBU) Recommendation 24. OIG recommends that the International Boundary and Water
Commission (IBWC) finalize suitability background screenings for both employees and
contractors, to include formal adjudication and clearance, as required by IBWC’s Personnel
Security and Suitability Directive.

(U) Status: Closed March 2014.
IBWC finalized suitability background screenings for both
employees and contractors.

(SBU) Recommendation 25. OIG recommends that the International Boundary and Water
Commission (IBWC), in coordination with the Bureau of Diplomatic Security, Security
Infrastructure, Computer Security, and the Bureau of Resource Management, Deputy Chief
Financial Officer, Global Financial Management System, suspend IBWC employee access to
OpenNet until employee background screenings are completed and adjudicated.

(U) Status: Closed March 2014. IBWC suspended employee access to OpenNet for employees
who did not have completed and adjudicated background screenings.

(SBU) Recommendation 26. OIG recommends that the International Boundary and Water
Commission (IBWC), Information Management Division, provide annual certification to the
Department of State Bureau of Resource Management indicating that all IBWC OpenNet users
fully comply with Department of State requirements concerning OpenNet access.

(U) Status: Closed March 2014. IBWC developed a formal certification process with the
Department of State Bureau of Resource Management.

(SBU) Recommendation 27.
OIG recommends that the International Boundary and Water
Commission develop and implement a process for conducting and maintaining information
system component inventory, to include all information system components concerning the
Supervisory Control and Data Acquisition systems, as required by National Institute of Standards
and Technology Special Publication 800-53, Revision 3, and the Federal Information Security
Management Act of 2002.

(U) Status: This recommendation has been reissued as Recommendation 6 (Finding D) of the FY
2014 report and closed in the FY 2013 FISMA report.

(U) Appendix C
(U) IBWC Management Responses

INTERNATIONAL BOUNDARY AND WATER COMMISSION
UNITED STATES AND MEXICO

OFFICE OF THE COMMISSIONER
UNITED STATES SECTION

July 29, 2014

Mr. Norman P. Brown
United States Department of State
Assistant Inspector General for Audits
Office of Inspector General
Washington, D. C. 20520

Subject: FY 2014 Audit of the International Boundary and Water Commission United States
Section (USIBWC), Information Security Program

Dear Mr. Brown,

We appreciate the opportunity to respond to the draft report of Audit of International Boundary
and Water Commission, United States and Mexico, U.S.
Section, Information Security Program.
We appreciate your acknowledgement of the significant progress made by the agency over the
last year, and look forward to concluding the pending findings within the next year. We will
continue to keep your office posted on our continued progress towards full implementation of all
recommendations.

Please advise if you have any questions or if we may be of any assistance.

Sincerely,

Commissioner

Attached: as stated

(U) List of Recommendations

(SBU) Recommendation 1. OIG recommends that the International Boundary and Water
Commission [Redacted] (b) (5)
as required
by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Response: Concur
The USIBWC is obtaining an [Redacted] (b) (5), which
will include IT [Redacted] (b) (5) from a third-party consultant as part of the
[Redacted] (b) (5)

(SBU) Recommendation 2. OIG recommends that the International Boundary and Water
Commission [Redacted] (b) (5)
to include [Redacted] (b) (5) as required by National Institute of
Standards and Technology Special Publication 800-53, Revision 3.

Response: Concur
The USIBWC completed a risk assessment of both SCADA systems, which will lead to the
[Redacted] (b) (5) expected to be completed this FY.
Implementation is planned for FY 2015,
which will include the establishment of a [Redacted] (b) (5)

(SBU) Recommendation 3. OIG recommends that the International Boundary and Water
Commission [Redacted] (b) (5)
as required by National Institute of Standards and Technology Special
Publication 800-82.

Response: Concur
The USIBWC completed a risk assessment of both SCADA systems, and the design for the
Nogales IWTP is underway. The design for the San Diego IWTP SCADA system will be
completed by end of the 2014. The award will be issued by end of FY 2014. The
implementation of the [Redacted] (b) (5)
will be accomplished in FY 2015.

(SBU) Recommendation 4. OIG recommends that the International Boundary and Water
Commission [Redacted] (b) (5), as required by
National Institute of Standards and Technology Special Publication 800-34, Revision 1.

Response: Concur
The USIBWC's plan is still on target to complete a [Redacted] (b) (5)
in FY 2014.

(SBU) Recommendation 5. OIG recommends that the International Boundary and Water
Commission ensure its [Redacted] (b) (5)
[Redacted] (b) (5) [Redacted] (b) (5)

Response: Concur
The O&M contract is being amended to officially exclude the Admin Network from
USIBWC systems inventory this FY. In addition, the ISSM as a designated Contracting
Officer Representative is required to review and approve all proposed equipment in
support of the SCADA system. [Redacted] (b) (5)

(SBU) Recommendation 6.
OIG recommends that the International Boundary and Water
Commission (IBWC) determine ownership of information technology inventory and update the
Integrated Logistics Management System to accurately reflect IBWC's current information
system components, as required by National Institutes of Standards and Technology Special
Publication 800-53, Revision 3.

Response: Concur
A comprehensive inventory was conducted earlier in FY 2014, along with an inventory
validation in June. The Integrated Logistics Management System is being updated to ensure that
only USIBWC's IT components are maintained in the system. All required updates will be
accomplished FY 2014.

(U) Major Contributors to This Report

Jerry Rainwaters, Director
Information Technology Division
Office of Audits

Steve Matthews, Information Technology Manager
Information Technology Division
Office of Audits

Kenneth Bensman, Auditor in Charge
Information Technology Division
Office of Audits

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT OF FEDERAL PROGRAMS HURTS EVERYONE.

CONTACT THE OFFICE OF INSPECTOR GENERAL HOTLINE TO REPORT ILLEGAL OR WASTEFUL ACTIVITIES:

202-647-3320
800-409-9926
oighotline@state.gov
oig.state.gov

Office of Inspector General
U.S. Department of State
P.O. Box 9778
Arlington, VA 22219
'